Welcome to the 6th annual DEFCON Security Jam!
Woo!
You were supposed to shout free bird, you failed.
Free bird!
It's not time for questions yet.
Welcome, January!
Thank you.
Dude, your shit is not even blended.
Room keys, throw that way. Underwear, that way.
Don't confuse us!
We're not doing that again.
Yet.
Give it a few minutes.
Anyway, so this is the 6th annual FAIL panel.
Welcome.
Each year they let us stand up here and make asses of ourselves and you,
so thank you for coming.
It would be much less fun if we didn't have targets.
With the Flapjacks, we are this year making pancakes,
otherwise known as Flapjacks, as Chris mentioned.
So half the money we raise through your generous offerings will go to the EFF,
the other half will go to Barnaby's family.
And there's all sorts of crazy sauces and yummies
that will be...
put on the plate for you.
You have no choice what you get.
If you don't like it, tough luck.
So we have a variety of folks.
I'll let them introduce themselves as they do their spots.
I have a quick fail before we let our next volunteer do their thing.
I want to give the award to LogRhythm.
Who was at Black Hat this year?
Raise your hand if you were at Black Hat.
And if you were at Black Hat, did you stay at Caesars?
Keep your hand up if you stayed at Caesars.
Okay.
Did you receive one of these lovely shower hangers?
In your bathroom on your shower at Caesars.
Oh, well, you got lucky then.
So I'm going to give LogRhythm the award for creepiest vendor at Black Hat this year.
Because there's nothing like waking up at far too early in the morning
or late in the afternoon and going to take a shower
and discovering this hanging on your shower that says,
think you're exposed?
What about your assets?
And, you know, because nothing makes me feel like wanting to purchase something
from a vendor like being stalked first thing in the morning.
In the shower, naked.
Hey, David, the guy who came in to do it in my room opened my door and saw me there.
And I guess he decided he did not want to go in my shower.
So he just handed it to me and he ran.
Richard, your slide's done yet?
I just started.
Excellent.
I'll go last.
Okay, as usual.
Hey, can we look like we're professionals?
No, I usually go last.
Can we look like we're professionals?
He's searching Google for shit.
He really is.
He really is.
You're pulling shit off Google right now.
I can go whenever you want.
Absolutely.
You're on my slides.
Excellent.
Fuck you, man.
I got kids.
He's not using Google.
He's using Bing.
Bing.
Well, hey, actually, being that it's DEFCON and the DEFCON network,
he knows that no one else is monitoring what's going to Bing,
so it's probably pretty safe.
There are two things I like to do in private and both have Bing in the phrase.
I think you scared Alex.
Where's the Bing in Shizer?
Or Goatse.
Are you ready?
I'm ready.
Okay.
Jamie.
Take it away.
So I got a mic, a mic, a mic, and a no VGA.
This chick keeps turning off.
It wasn't me.
You got too much plugged into it, sir.
I got two fucking things plugged into it.
VGA?
Oh, hey, look at that, VGA.
I'll just keep my finger on the button the entire time.
Please connect directly to NSA.
Okay.
So last year at the FAIL panel, much like this says poisonous mic.
Labeling here sucks this year.
Last year at the FAIL panel, I did my slides on stage much as Rich is doing right now.
And hey, look at that, you can see my desktop.
You know, next year we should just all do our slides after giving our presentation.
You know what?
I could have done this with just preview, but I wanted to give you guys like a title slide so I could talk about how to discover that hotel internet is funny.
Wait, we're not projecting what's going on.
Okay.
I can see it there.
Now it's over there.
Failing over there.
AV people.
Here we fail.
There we fail.
Everywhere we fail.
Take it off.
Oh, take it off?
Okay.
Woo!
Baby!
Prepare.
Don't be a cyber douche.
So you keep blowing the circuit breaker.
Yeah, I know.
Oh, okay.
I'll hold it.
No, you'll hold it.
I can hold it.
I can hold it.
Keep your finger on the button.
Keep my finger.
Okay.
When you all start to see me shake, you'll know I've been electrocuted.
Can I what?
In a round motion.
In a round motion?
Is that good for you, Chris?
All right.
So last year I did my slides on stage and that was fun and all.
This year I decided to be prepared.
So when I got to Vegas, I still had no slides.
What are you going to do?
They're having too much fun.
Does anybody stay in a hotel?
Anybody stay in a hotel that has no guest protection on its Wi-Fi?
And I just lost my slides.
I think we shorted the whole stage out because I lost that screen too.
Okay, so I'm sitting at Caesars, trying to prepare for training.
Did you guys break something?
Yeah, we broke a lot.
There's no...
Hit the breaker down there.
Is there a breaker or did we blow the whole room?
Oh, no.
Anybody got a lighter?
No, there's no power down there, are there?
Anyway, so Rich and I are sitting in Rich's room, right?
We're trying to prepare.
We're looking at slides.
And all of a sudden, out of the complete freaking blue,
What are they doing?!
I have no idea.
All right, so you're just going to hold that circuit breaker open?
Mine's just still off.
No.
These are still off.
Just like that.
Call the union.
Oh, there he is.
Half cooked pancakes are delicious.
Yes.
You ever had one of those moments when you knew that somebody else was in your computer?
You know, you got to Vegas and you forgot to turn on your firewall, right?
Because you know, failure, that's my modus operandi, bitches.
I look over at my machine because somebody else's desktop is on it.
Okay, out of an abundance of caution, I asked our local Mac security expert, Rich Mogull;
read his articles on Macworld.
I can't keep the Mac things straight.
Keep talking.
Oh, okay.
Please don't touch me there.
Keep the concert going.
Keep the concert going.
And yeah, so out of habit, when I'm working at home, I have some large number of monitors
in my office that exceeds sanity.
I habitually leave AirServer running because, you know, it's an easy way to take what I'm
looking at on my phone or my iPad and throw it to one of the monitors in my office.
Guess what?
People will promiscuously join any frickin' air server they can in the hopes that it's
the TV in their hotel room.
Right?
Raise your hand if you're promiscuous.
Jay Daniels wins on that one.
Jay Daniels.
My beard is.
Okay, so this is all funny for the moment.
Well, you know, Rich and I are trying to scramble to remember what's the hot key for screenshot
and grabbing phones and trying to take a phone picture of it.
Yeah.
And then, the music starts.
Yeah!
Yeah!
Dude!
So I've been fooling around with this, and for reasons that shall remain not astonishing
to anyone, I managed to lose a folder full of screenshots, but I did catch this lovely
one.
Which is the guy troubleshooting why he can't hear his YouTube video anymore.
I had perfect fidelity of it.
So as a call to action, as a go out and stamp out cyber douchery wherever, I will ask all
of you individually and severally to please run AirServer, configure your AirServer host
name as capital A, small p, small p, small l, small e, capital T, capital V.
I'm sorry.
If you're on a Mac, the keys you're looking for that neither Rich nor I could remember
are command shift 3.
Or 4.
Four makes you draw a window.
Three takes it in the instant.
Because AirServer by default fills the entire screen.
Just keep hitting those three keys while they puzzle out why their video disappeared or
their audio disappeared.
Or share their corporate secrets with you because they're dumb.
I'm going to say this.
As a Mac user of many years, it is easy to be very secure.
It is foolish to just depend on intrinsic security because, look at me, I've got a genius
to depend on.
Not Rich.
Although Rich is a different kind of genius.
Because he won't talk about it.
Anybody know who had 90 minutes to prep a Black Hat talk?
First talk of the morning, 90 minutes prep and he killed it for an hour.
There are no other professionals like that in our industry.
So my call to action.
Configure your AirServer as Apple TV.
AirServer runs on a Raspberry Pi, by the way.
And screenshots?
Send them to me.
So that I can post them and we can all titter in glee.
And if someone is so enterprising as to take my intellectual property and build such a
device, please someone make me a Raspberry Pi image that connects via Wi-Fi to whatever
it can and runs as an AirServer as Apple TV and screenshots once every second.
Build it.
Send it to me, I will give you all the creds in the world times one majillion.
Build it and you will come?
I did not say that.
It's like I walked right into that.
Walked right into it.
All right.
Can you do it?
Can somebody do it?
Is anybody better at scripting than me?
Yes.
Oh, you have a box that does that?
You're going to make one for me?
And he will come.
You rock.
Can we offer him something in congratulations and thank you?
Would you like a beer?
We have half done flapjacks.
They're almost done.
Oh, they're almost done.
Oh, okay.
That's not beer, man.
Remember the rule.
American beer is like sex in a canoe.
Fucking close to water.
Okay, close to water.
Awesome.
Thanks so much, dude.
Thank you very much.
You can get a pancake.
Or a beer.
Or both.
Beer and cakes.
Beer and cakes.
Put beer in the pancakes.
We usually do.
I'm not putting my tongue in his ear this year.
Wait, you're not going to put your tongue in my ear this year?
I'm out of here.
I just wonder where he is going to put his tongue.
With sexy results.
We have beer there.
There is no connection between the two.
Hey, Martin, want to try a pancake?
Is something broken again?
No, but I'll find it.
No, we don't have power.
No, it's kind of in a...
The light's on.
There we go.
Oh, it's my battery.
There you go.
Oh, it's done.
Excellent.
Let's hear it for carryover.
All right.
Thanks.
How do I safely...
Somebody find a really long extension cord and bring it to us?
We have a lot of stuff.
More, again?
It needs to run over to Caesars.
Jason.
Let's go.
You do the bottom of your tongue.
That works.
All right.
Just waiting for the other side.
Hey, the donation box is looking really empty, so I'm going to put $100 in, which is now
low.
No, Jack.
You don't want it.
That's it.
I'll let you in.
Oh, that's a Canadian $5 bill, which is currently worth $10.
Six dollars. Five dollars US, because of your economy. We have oil and wood we can sell you.
You'd like some oil before or after the wood? It is a great value.
It's great value. Butter flavor, for your pleasure. Yeah, for your nipples.
I would like some butter for my nipples, please. Also, could I get a little bit of syrup? All right,
so who's gonna lick the butter and the syrup off my nipples? Chocolate, caramel, or strawberry?
Strawberry. I don't want Canadians licking stuff off my nipples. I have standards.
Haha.
Why a fork? All right, any word on slides on this side? Going once, going twice. No idea. Slides, slides.
They really want to see these, though. Okay, well, in any case, everyone lean over that way. In an effort
to get you guys moving along so you can hear from some of my other esteemed colleagues, we'll just do
slides on one side while they work on the other.
Okay, yeah, this should be on the FAIL panel, right? The projector fail. Hey, it's small. Wait a minute.
That's what she said. Yeah, I've heard that before, mostly from Rich, though. All right, so we are so
screwed. So a little bit about me. My name is Larry Pesce and I'm a penetration tester, hardware hacker.
My employer was supposed to send me to DEF CON to come give this presentation as part of the FAIL panel, and this is all stuff that I discovered while working for them, and they laid me off last Monday.
But a baby! But yeah, with an eight-week-old baby at home and a five-year-old. But in any case, I tweeted and all that good stuff that I got laid off. I got laid off at 10:30 in the morning and I had an offer letter by 7 p.m.
It was, and I took it.
Where can we buy it? YouPorn? Wait, no. All right, so based on the fact that I am currently technically
unemployed, because I don't start with the new company until the end of the month, I had to do a little bit of redaction to sort of protect the innocent, and the fact that I can't afford a lawyer right now because I'm not getting...
So donate a lot of money so he has a lawyer when he gets sued.
Yeah.
So, to that: former network guy in a past life many years ago, instructor, certified instructor
of the SANS Institute, a member of the Paul.com Security Weekly group.
Yay!
And I'm also an extra class ham radio operator, which is completely irrelevant to this presentation.
You have no sex life.
Right.
Well, I also have kids.
Right, Rich?
They are mutually exclusive.
Yes.
So what is this whole talk that I'm going to talk about?
So I had just changed jobs, fuck, really, and again, but I had just changed jobs into
the energy sector.
So I had been doing consulting for penetration testing and all sorts of industries, but was
now specifically tailored to just pen testing and hardware hacking in the energy sector,
which was a completely new thing for me.
I had never done any work in the energy sector, so there was all sorts of new terms and things
that I had to understand.
It's a whole new industry, and on day one of my new job, I was on a plane to a client
site.
Excellent.
And I spent... and after about six weeks, we find out we're going to come to the FAIL
panel. What am I going to talk about?
And this was my impression of the energy sector, security in the energy sector, after about
six weeks on the job, and sort of why I think that.
All right.
So day two on the job.
Hi.
Howdy.
Okay.
So day two on the job.
You don't mind if I rub back, right?
You know the rest of us have been telling the screwed story for years, right?
Yes.
Do you now understand why we are the way we are?
Just wait.
Yeah.
But wait.
There's more.
Wait.
There's more.
He slices, he dices.
Yes.
And there's more pancakes, flapjacks.
Yay.
Yay.
All right.
To be honest, the first time I ever saw a naked man on a wireless router was Larry.
I had that picture.
I had that picture.
I had that picture.
Did you bing?
Did you bing it?
Everybody's got a snake bank on the drive, don't they?
You have the picture, but I have the life-size cutout in the basement, and it has made many
rounds around our house in various closets, and you throw it in the pantry, and my daughter
goes and opens the pantry and goes, and then closes the door and waits for mommy to go
to the pantry.
Mommy, why isn't daddy's router bigger?
Yep.
Wow.
Wow.
I'm not even going to touch that one.
It was a Linksys.
Yeah, it was a Linksys.
Small antenna.
All right.
He had very small gain.
Yeah.
More than yours, though.
That's all right.
That's okay.
See, I don't even feel it.
All right.
So in order to understand a little bit about some of the reason why I think this whole
energy sector security stuff is so important...
...is totally screwed. We need to understand a little bit about AMI, and that's
advanced metering infrastructure, not the AMI BIOS, folks. And yeah, I didn't know
that on day number two of my job either, so needless to say there's lots of new
acronyms and all this type of stuff in the energy sector that I had no idea
about and took a little bit of explaining, but that's okay. So let's
understand a little bit about AMI, speaking in general sort of terms, no
particular vendor and those types of things. So what we end up with is a
meter on your house that reads usage metrology, and that metrology now needs
to be reported back to the provider, so to the energy company, so they know how
much electricity you're using or how much gas you're using. So that metrology
gets sent over a network via some sort of mesh network or some sort of
aggregation device, and that aggregator connects back to the utility, which then
connects to a system potentially in a DMZ,
which you'll see in just a few minutes,
which then the accounting folks then connect to from their internal network. So now you
can start following the path from a meter to a host on the internal network. Great.
can start following the path from a meter to a host on the internal network. Great.
So these are actual meters and/or smart meters. It all depends on the type of devices that
are installed. So you can have multiple different types of meters, whether they be smart or
otherwise, that do have some sort of wireless technology to be able to contact this, quote
unquote, aggregator. The first week on the job I got to pen test one of these aggregators.
So what did I find? Unfortunately crossing your arms doesn't hide the boner.
And tweak that in two. How close are we to getting a Rich Mogull naked, speaking of boners?
Sudo, take off your pants.
I'm going to take off my pants.
Password please.
One, two, three, four.
And SSH key.
Password one.
We'll save that. We need to get more money out of these people before I drop
trou.
Isn't the password always the same as the luggage?
We crossed 500 in donations. Thank you people. Let's keep it going.
Rich! Rich! Rich! Rich! Rich! Rich! Rich! SUDO!
Do you want this or just that?
I think your pants are worth a thousand dollars this year, Rich.
So I'm running for Congress!
Quick, get your iPhone!
Pull out! Pull out!
Everyone's a wiener.
I'm running for District 5 in Phoenix!
District... I don't know.
Wait, wait, wait, let me back up, let me back up.
Yay!
All right, wait, so what do we get if we get $1,000, Rich?
He loses the shorts.
We get to tie Dave to a chair with his pants down.
Oh, very good, there you go.
Yeah!
So, Rich, as an analyst, is this the first time you've had money stuck in your face?
No, no, it happens a lot.
Wow.
I believe I may be the only person in the industry to have dropped my pants at both RSA and DEF CON.
Nice.
Multiple times?
Well, yeah.
It's all about the multiples.
You want pancakes?
Raise your hand.
I can't get this off.
That's what she said.
All right, so, speaking of boners, the first aggregator device that I got to test had Ethernet and a serial port externally accessible.
Winning.
However, the Ethernet was all shut down, all that good stuff.
The serial port had a password on it, which was very good, highly, high entropy on that password.
So, doing some brute force against it wasn't going to work for us.
So, that was pretty good.
However, we can still observe all of the boot process and get all sorts of information about it via the serial port.
And then we look and discover this other port.
And, yes, the boner police have come for you.
Yeah, so we open up this other port, and there's an SD card inside.
Yeah, what could possibly go wrong?
Now, this is a device that is hung on a telephone pole 12 feet up.
So, you just need an extension ladder to go be able to acquire one of these SD cards.
Yeah, so, great, SD card, but what the heck's on it?
So, the manual claims that it contains the operating system and configuration files for the device on a hidden file system.
Yep, so, by the way, day two on the job, okay, so I removed the SD card and threw it in my Mac with the built-in SD card reader.
It mounted, or attempted to mount, didn't find any file systems.
I'm like, crap, hidden file systems.
How'd they do that?
So, I made a DD image of the SD card.
I couldn't identify any of the images on the ISO either, so no big deal.
But I ran strings against that ISO image that I had taken from the DD and found all sorts of interesting stuff in what appeared to be configuration from the entire disk image in plain text.
So, great, hidden file system, unencrypted.
Okay, so, I put the image on my own SD card so as to not damage the original, put it back, yep, and moved the device over to my Linux workstation so that I could attempt to play with it, and I plugged it into an Ubuntu 12.04 system, and it auto-mounted six EXT3 file systems.
Wait, I thought it was hidden.
On Windows, it is.
You realize at this point, if the vendor were to release a vulnerability, they'll say, it's in a hard-to-understand format, so we're fine.
Yes, yes, and I think that's why it was hidden.
At least it's not proprietary.
Yeah, at least it's not proprietary.
Just you wait, just you wait.
Open systems.
Yep.
All right.
So, I start going through.
I go through the file systems and search for configs, and I find that there is a running and a, quote, golden config.
And when you change the running config on the SD card, it detects that changes were made and boots the golden config.
So, I changed both.
So, I changed the running config, modified that, detected that it was changed on the next boot, so it automatically started the golden config, which I had also changed to include my own local user and password to one that I use.
So, now I'm root on the system.
Insert.
And, by the way, they were attempting to get away from anyone being able to modify some of those files on that SD card by using Unix file permissions.
So, they were owned by root, so guess what?
It's mounted on my system's file system, so I have the right to change those files.
I used my SD card with the beta to reboot it, and now I am root on my system, with a user account on the device before tax accounting starts up, because tax accounting has to wait
for the 3G connection to start. So I now have full control of the device, and the device
contains a Wi-Fi access point which connects outbound over the 3G, and because I can configure
it, well, now I can set up routing and offer free Wi-Fi for everyone in the neighborhood.
Amongst other things.
Could you narrate the pictures on your slides?
That's the point. All right. So the initial vendor response was, oh, but you didn't use
your high security mount for mounting this on the pole. You mean the one with the big
hole in it so you can still gain access to the SD card slot? No. And aluminum that we
can take out with a crowbar? Awesome. So we contacted the vendor through our
client and they said sure, how about we just put a password on the config file? I'm not
exactly sure what they meant by that, but I don't think they were either.
Are you saying that you have a shortcoming in your security knowledge, you can't put
a password on a file? Well, you can, but yeah, but how are they
going to start reading it and then putting the password in memory and
Just put it in the beginning of the file.
Oh, so include the password in band. Yeah, all right.
Hey, I like that.
We're talking about music here, buddy.
Not yet, right? All right. So when we talked to the vendor, we said, you know, guys, that
was really dumb, vendor. How about we maybe work with you on a contract to test your stuff
before you deliver it to customers? And they said, oh, well, we have a team that does that
for us. An internal team. Yes, they must be awesome. If my calculations are correct, you
suck. And yes, I bet you all read that in Doc Brown's voice.
Yeah. Titty sprinkles, right? All right. So I finished that engagement,
spent a week back at home. My tenth day on the job, I'm back at another vendor or another
customer, and I'm pen testing a different device from a different manufacturer, but
with similar type of function. So another one of these aggregator devices.
This one was really well secured. Same thing for serial port. No exposed SD card. I'm going to go ahead and show you this one.
Ethernet was fully shut down. You name it. But in due diligence to the customer,
we asked them to log into the device for us. And then we were going to review all of the
settings on the system. And it was a Linux based system. So we wanted to review the Linux
config to see if there was anything that maybe they had made some mistakes. Go figure. So
Unix based operating system. Serial and Ethernet were externally accessible. Okay. Once we
logged in, we were taking a look to see what had been done for hardening. And the first
one was a distinct lack of /etc/shadow. And all the passwords were in /etc/passwd, world
readable. Thank you. Okay. Yeah.
So next what? I'm like, all right, well, let's do what I just did two weeks ago
and see if I can get a DD image from the system. So I started trying to do DD over Netcat.
Unfortunately, the user that I was logged into the device as did not have read access to
the entire file system. So it failed. So I could not get my DD image to my local workstation
after enabling Ethernet and all that good stuff. And it was also, in I don't know what,
ten years of pen testing, the first time I ever used Netcat in a pen test. Yeah.
Sorry, Ed. All right. So start looking around the operating system and find an application.
This is an app proxy, which gives the user the ability to leverage privileged commands
from a nonprivileged account. Much like the one that I had. And this sounds just like
sudo to me. But it wasn't sudo. So they kind of reinvented the wheel.
Again. Again. So the command has been obscured to protect the vendor. So we start
looking at the output of the command for the app proxy. The app proxy, the dash A gives
us the level of access needed.
Sweet. The dash C is the command that we want to run from a whitelist of commands.
And the dash P gives us the command line options to said command in the whitelist.
Did you guys see any authentication for using a potential system level command in that
whole setup? Yeah. No, me neither. It didn't require any additional username and password
much like sudo might. And just granted access to those privileged commands in the whitelist.
However, it turns out that the dash P flag doesn't do any sanity checks or filtering.
So you pipe the output from one of those whitelisted commands, like ifconfig, and
then you pipe another command that you want to do to it. And it executes it happily as
system. Yay!
Okay.
So I get a copy of the image via Netcat via this privilege escalation.
And I start doing strings against the image and find a bunch of databases and database
definitions that include commands such as create table, ID integer, name text, salt text,
password text, update date date, and the primary key: name, salt, and password.
Great.
So they're storing the password and the salt as text in this database.
No.
It just gets better.
Now that said, just pancakes, pancakes.
Anybody want pancakes?
Flapjacks.
Come on.
We want flapjacks.
Raise your hand for pancakes.
Over there.
Raise your hand.
Keep them up.
Keep them up.
Wave money for pancakes.
Wave something else if you want something else.
Yeah.
All right.
Maynard still has his shirt on.
Don't worry.
He will get it off.
Oh, yeah.
All right.
Another few hundred bucks and that will go.
Sweet.
All right.
So I had no idea what database this stuff was for or what these passwords were used for.
But either way, it's still not good because
now I have access to the entire image. I have potentially databases.
That feels good. I'm from the vendor. I'm here to make sure
you don't complete this talk. Nice. All right. So the vendor response
on this one, we're still waiting for a response. And, well, I don't work there anymore, so
I'll probably never find out what the response from the vendor was.
Let's do it like this. I don't know. I'm wondering why they ran
out of D on their salad sign, though. Oh, I see.
Try your Asian salad. They couldn't find the capital D, so they had to use the upside-down
P. I don't know. You're absolutely right.
Yeah. So here's the final fail. What? Too much?
When you got to go, you got to go. Hey, who wants pancakes?
You can tell how many people here are not parents.
Yes. That's nothing if you're a parent, right? Except that the ass is a little bit
bigger. All right. So this one was pointed out to me by my former boss who asked not
to be named. And so I asked for some help figuring out some information about utilities
and pictures and all that type of stuff. And he sent me to Flickr for a, you know, like,
interesting government agency that supports energy in Tennessee. And I will leave it at
that. And these did get reported to said government agency, and they removed them from their Flickr
stream. However, you know that saying that some creep has got a copy of everything on
the Internet? Well, yeah, sometimes that creep is me. So once they had already removed them,
I still had copies. So once it's on the Internet, it's already there. You guys know that.
So let's take a look at this particular case study.
So here's a picture from their Flickr stream for their marketing purposes.
Oh! It gets better. So I'll call out some specific
things for you. So we've got a picture of a badge. We've got plant control software
running on XP. We've got security video cameras. And now we can potentially gather their locations.
And we have a gentleman by the name of Rick's phone number. Two of them.
Well, look, you also have this nifty red jacket right here. What do you think?
Great.
Is that members only?
Members only.
Might be. Might be.
So wait. You found the most advanced power plant in North America because they're
on XP.
Yes. Yes.
If any of you think I'm joking, look at my resume.
Yep. He's not. All right. So there was another picture on their Flickr stream
as well. Sweet. What could possibly go wrong? Well, a whole bunch of stuff.
XP.
Right. DR plan.
Yep.
Not enough tissues.
So the flyaway book is their DR plan underneath a box of tissues because apparently
it makes them cry.
Right. Is it crying that the tissues are full?
Yeah. It's definitely not the other one, Dave. Trust me. So we've got XP in the
background in the cubicle. We've got XP running on this big display. And what appears to me
to be IE7. We've also got
Is that the Tennessee Valley Authority?
Yes.
Seriously.
Yep.
This is the most advanced control room I've seen.
Yep. And so this fine lady is sitting here taking a picture over her shoulder. And if
we look at the system, there are three monitors connected to it. How can I tell? Because the
background, the desktop background was customized by her to look like a picture of family because
we see legs at the bottom. And it is the same on two monitors. So that at least those
two monitors are probably connected to the same system using the same Windows background.
I don't know what that is. But in any case, it looks like there's some sort of plant control
or plant monitoring software on one workstation.
Don't forget the Boyd cone.
Yeah. I didn't know. I didn't. We're running
You don't want to rub it in too much.
I don't want to rub it in too much. But we're doing some sort of plant control and monitoring
on a machine that has access to Outlook.
But hey, that seems completely safe.
And Office running
That's kind of sketchy.
Most advanced power plant in the country.
What could go wrong?
Did you see there's a clock up here?
I did.
But it's analog.
That means there's probably nothing we can do with that.
Probably not.
It's guaranteed incorrect
relative to the grid.
Seriously.
You need to use something
better than NTP.
You want to find a cesium clock source?
Find a power control room.
They'll have two and they're using
a battery-powered clock on the wall
they got from Ikea.
They have cesium
source time
and they're using a battery-powered clock
from Ikea.
Or Walmart or whatever.
And if you zoom
into this particular picture,
this is Microsoft Word on the right
hand side, which is a procedure with emergency
contact numbers.
Winning.
Based on my six weeks of experience, we are
so screwed.
They're in an industry that we are starting
to tell them, you guys need to start
at the beginning and stuff.
By practicing defense in depth because you're not even
doing that.
2003 called and they want their security program back?
Yeah.
So last year I brought
you guys Afro Circus to make everything
better, right?
So I don't
have anything quite as bad as Afro Circus.
I'm not going to plant the earwig for you guys
this year. However, I do
have some Deadmau5 for you.
But it's not going to be the earwig
that I plant.
It's the eye wig.
So to make it all better...
Wait, wait. Anyone want pancakes?
No, no, it's okay. Oh, alright.
You'll want pancakes after this.
Because you do not want the dry heaves.
You'll actually want something to throw up.
Because
Deadmau5 is always better
when cats
throw up to techno.
Yeah, I just... Basically...
Wait for it.
Wait for it.
Donations for
Don't worry, this is not a 10-hour video.
Yes, I'm going to play the whole thing.
Flapjacks, anyone?
Hey, hey, hey, hey, now.
How long did you spend collecting these videos?
YouTube, YouTube.
And here comes the money shot.
See, cats throwing up to techno always makes everything better.
There's something wrong with us.
You guys want to see that again?
All right, so with that, who's next?
Ideally, that would be Mr. Robert Graham.
Mr. Robert Graham to the podium.
Mr. Graham, did you finish your slides there?
Yay, yay, yay, yay.
Do you need my DisplayPort adapter?
Yes, we're all going to need it, because we all use it.
You guys all need it.
We need to see the melting...
We need what you've got.
Thank you very much.
Thank you.
You guys will never listen to Deadmau5 the same way again.
I don't know if I know where to begin with.
Pancakes.
So while Rob makes his way to the podium, I'd like to give you some background about Rob.
He's somewhat of a cheater.
He broke the rules.
We all, like normal people, do our presentations five to 15 minutes before this panel.
Rob did his last week at home before he even got on the plane to come here.
So don't be amazed at anything he talks about.
It was all done a week ago.
Whoa.
Come on.
I didn't even pick a topic until I got here.
Actually, Rich is true.
He's a genius.
We're talking in the, or not.
I assume you were rich there to my right.
No.
I'm not rich.
That's why you're looking at my chest.
Wait.
Hey, Jack.
How much money do we have and what part of Rich's clothes are coming off next?
So anyway, Rich seriously, we were in the speaker room about an hour before the talk,
and we were just saying, what should I present?
And then he was right here a few minutes ago, furiously putting together slides.
Hey, just a quick update.
We have raised about $1,000 so far.
That's $500.
That's $500 for Barnaby's family, $500 for EFF.
Give till it hurts, although actually the...
Barnaby Jack's family does.
Yeah.
EFF and Barnaby's family.
They're trying to ship them home to New Zealand.
Yep.
And give till it hurts, even though we're making you hurt up here.
So...
Hey, Jack.
Don't go away.
Because you know what?
I don't have a job, technically, because I don't start till the end of the month.
But you know what?
Here's $100.
I love the cats.
Is that when Mark takes off his pants now?
No.
Yes.
That's when I keep my pants on.
Take Ross pants off.
No.
Would somebody go in the hallway?
There's like 100 people out there who didn't hear the call to get some more money.
Can we just yell it out louder out there?
Because we got a really teensy-tinesy room this year, and there's a lot of people who
want to see...
This is sort of like...
Oh, yeah.
All the panels...
Who do we piss off?
Everybody.
I'm sorry.
Everyone.
Actually, this was the panel room, so all the panels come here.
That's why.
So my talk, I'm starting with this picture.
So can we...
I think we all know what this picture is.
It's a gold-plated fiber optic cable.
And so the gold...
This is a Monster.com cable.
They'll charge you $150 for it.
It's better than those mere $2 cables, because it's got gold plating to make sure the fiber
optic connection is better.
But Ross...
Yeah.
What does gold have to do with fiber optics?
Is it oxygen-free fiber optics?
I don't know.
Lead-free, probably, and environmentally sound, and...
And you look at the...
And we all know the Monster company, their marketing around this is that it gives superior
lifelike sound.
But this is a digital cable.
The bits that come in are the same bits that come out.
As long as that condition is true, every cable is equal.
You can't add somehow to the digital signal.
Monster can.
Except for Monster can, apparently.
Oxygen-free cable.
Please.
Marketing.
But Rob, what does gold have to do with fiber optics?
I don't know.
And so this is sort of digital astrology, that somehow we can add to the bits.
That there's some magical mysticism we can add to the bits.
And we laugh at Monster.
But fewer of us laugh at television sets.
So we all go to Costco when we go down the aisle of...
Or Best Buy.
We go down the aisle of television sets, and we sort of pick the prettiest one.
But the thing is, in the old days, I guess, in analog TV, and by the old days I meant
before half of us were born, TVs were analog, and yeah, there was adjustments you could
make to the TV to fix things.
But with digital TVs, it's digital, it's the same concept as the Monster cable.
It's bits in.
It's 24 frames per second, it's 1080i or 720p, 24 bits per pixel.
And that's the color.
And there's no...
Any adjustment you make on that is degrading the color.
You're not improving it.
And so digital is digital.
And so anything that it does to make a vibrant, optimized contrast in color, it's making the
picture worse.
And that's why you get these TVs.
And you go home, and in the showroom you have these nice pretty pictures with lots
of colors.
And that color is really vibrant, and you really like it.
But then you get home and you try to watch TV on it, and everything is crap.
Like you're watching Star Wars, and Darth Vader is just this black blob, and Luke is
this white blob, and all the colors are so saturated.
And that's just racist.
Can you get prescription glasses, Google Glasses, please?
Because obviously you're not sitting close enough.
And...
But Rob, what does fiber optics have to do with gold?
So you take a movie and watch it on your iPad or your computer monitor,
and it looks correct.
You can see the folds in Darth Vader's robes.
You watch the same movie on TV, and you can't make out the details,
and it really pisses me off because I've bought two TVs now
that no matter how many settings I go through,
I can't get to what a computer monitor shows.
So the factory defaults are the wrong defaults.
The factory defaults are the color and the contrast and the sharpness
and all this other nasty stuff that they've distorted the digital signal.
But it looks great in the store because I bought it, right.
Maybe a different cable would help.
So there's this company called eColor that produces,
in case all the distortion already on your digital TV,
is not enough, they'll sell you a box to do more.
And, you know, the preserving skin tones and colors and brightness and contrast,
the same nonsense that Bravia or Tonya is advertising.
And it's a simple device with just HDMI in and HDMI out,
just going through some algorithms on FPGA.
Because, again, it's all digital.
You're running through some mathematical stuff on FPGA, and you're great.
So, Rob, what does gold have to do with fiber optics?
So, so I'm here to liberate these chips.
You have these FPGAs in the service of evil.
So I want to liberate the chips.
So now I'm going to do that and grab, and grab the, actually, can you grab the, this thing?
Yeah, that's what I'm doing.
That's what she said.
So, so this is the box.
You go onto Amazon.
What's great about this is it's a $300 device.
The FPGA itself is a $50 chip.
But since, in actuality, these things suck,
and only morons buy them,
you can always get them used on eBay or closed out on Amazon or something for, like, $10.
So I got three of these boxes for $10.
Each.
It has a button.
And so there's, like, all this crap in here and stuff that you don't want.
You don't want any of this crap.
You got the device.
You got the power supply.
You got the little remote control.
The box.
So, yeah, and you have this device here, and it comes with, you know, a little protective plastic
because you want to keep it pretty because it sucks.
You got your little power supply.
And the power supply you sort of need, but you don't need this other crap.
And so this device, I spent a long time trying to get the case open so I could actually preserve the case,
but it's all glued together, so you just got to break it.
And once you break it, it doesn't go back together again.
It's just broken.
So you have this device here, and what you have is, it's really hard to see, so I'm going to try to use the display here.
Photo booth.
Let's try this.
So you can see there's three chips on this.
There's HDMI in, HDMI out, and then there's the FPGA in the middle.
Now, as hackers, what we know is that every device in the world has a JTAG debugging device.
So you can see there's a JTAG debugging port on it.
And usually the first thing we do when we grab a device is go hunting for the chip pads,
the pads on the motherboard, to go solder on our connectors on it.
But luckily, these guys right here, you can see, they already have the JTAG interface on it.
So that's awesome.
But Rob, what does gold have to do with fiber optics?
These JTAG pins are gold-plated for enhanced sound.
So what we're going to do is, can we have JTAG, which means it's a back door to the FPGA chip?
Could you plug this in on a power supply thing over there?
You can try here.
It doesn't work.
Yeah, but there's nothing over here that works.
Oh, here.
We can just take off mine.
I'll take off one of those for a moment.
Here, this one is yours.
That's fine.
Okay, so this is nice, powered up.
Can you hand me my other notebook there?
Wait, there's a camera.
Can we not look at your belly?
Keep going.
No.
You got it?
Okay.
Anthony Weiner.
Oh.
Oh.
Apparently Anthony Weiner's name will stop electronics.
It's probably gold-plated, too.
If you all close your eyes and really believe, he'll show us his Tinkerbell.
And yes, that is what the kids are calling it.
For those of you who are new in the room, welcome.
Bring money down here.
Get your flapjacks over there.
No, it's great when you say that, because it just sounds like you're giving money away.
Bring the money over here.
No, the money is going.
Half of the money donated today is going to Barnaby Jack's family, and the other half is going to the EFF.
To be more specific, Barnaby Jack's family is trying to fly him home to New Zealand, which is where he's from, if you didn't know that.
So that's rather expensive.
Oh, didn't know that.
Jack.
Who's okay giving it up to Barnaby's family?
You're going to the EFF.
We can do that.
So anyway, this is just a standard JTAG dongle, attached via the USB port.
Wait, Rob.
Did you say dongle?
I'm tired of this.
And my fly was still down.
So we just plug into the JTAG port, get to the back door.
So we don't care about the HDMI interface and what we're doing.
what the hell this device is, other than it's evil, and we need to expunge the spirit.
So I've downloaded the Altera FPGA software. So all I need to do is connect up the chip,
scan the bus for the device, and then upload it. And what's the upload key?
It's his first time. He's never presented before.
He won't remember what it was like, but he'll know he'll want to do it again.
So I practiced. That's what Dave was talking about. I practiced this to make sure I was getting it right.
Now I can't even find the upload key. Don't throw them, Alex. Throw them hard.
We can't give you beer for money in Vegas for some really weird reason.
However, we can give you sex for money. But we can give you beer and you can randomly
donate money next to us.
Michelle, it's American beer, so it is water.
Also, remember, Rich is available for private lap dances. So am I.
Those guys on the street, they work for me.
Oh, come on.
Live, new riches, right to your room.
I get really interesting responses when I show up to those rooms, I'll be honest.
I will not throw a beer.
Next time you need to talk to me.
Use a trebuchet.
So I practiced this for two weeks, well, two weeks ago, to make sure it would work when I got to DEF CON.
That's what he said.
Had all the applications set up and ready to go. All I had to do was plug it in.
How's that working out for you?
But Rob, what does gold have to do with fiber optics?
So, and it's not working.
Okay.
If you need a pancake, Jason has some, so raise your hands if you want a pancake.
If you need technical support, I'm the analyst.
Jason.
Okay.
So I had to plug it in the right way around.
That's what he said.
So what we see here.
So what we see here, we've connected to the device, we've identified the FPGA chip and the model number here.
I downloaded this SOF file, that's the FPGA description from the internet.
There's a project up on GitHub that has all the Bitcoin mining software.
That can just download to the FPGA.
So now I'm downloading it and we'll see if it works.
It usually doesn't the first time, I have to actually hit twice.
I don't know why.
Play with it a little bit.
Jiggle it around.
Play with your...
Okay.
So that appears to have worked.
Show the video to start.
Wait, what?
I don't know.
It works for me.
Show us your GitHub.
So now we've downloaded Bitcoin mining software to the FPGA.
Now we're using a little control program to do the mining and send the results back up to the internet.
Is that on there?
Yeah.
The password's on there.
Oh, cool.
By the way, my password for a lot of things is foobar123.
So if you're looking for my last FM password or my strat4 password, that's usually my password.
But Rob, what does foobar123 have to do with gold?
But what you'll notice here is my username is not Rob Graham.
So my password is 123.
You can go hunt down what my usernames are, what my email addresses are.
They tend not to be Rob Graham.
I've actually used Kevin Mitnick a lot.
How about Carlos Danger?
Is that going to work?
So this is actually kind of slow.
It takes a while.
But it's actually running here.
It looks great for a live demo.
So, yeah, you kind of don't really see it from the live demo.
But what you see up above is what had been running for two weeks before I came here.
I just put the machine to sleep.
He even admits it.
He was cheating.
Yeah, I'm admitting I'm cheating.
So you see it's created one, since I've been here, it's created one chunk and sent them up to the server.
And you can see over time it does about 14 mega hashes per second is the rate at which it does this.
It's pretty slow.
It's faster than a desktop machine but slower than a GPU.
But it's only using two watts of power.
And it costs $10.
And it cost me $10.
So that was my chip liberation is taking this evil company, making evil products, and liberating the chips from it and doing something good.
And how much money have you made?
Less than $10.
There's more gold in fiber optics than that.
That means he's done.
So this is a very special fail panel.
We've expanded the members of the panel.
We have a fail panel virgin on the team.
And our first female fail panelist.
But not both at the same time.
So we didn't warn her.
We're going to put her up on stage right now.
But I think it's a good time.
Yeah.
It's all.
And mostly because she's not drinking enough and is a fucking lemur.
So okay.
Here we go.
So I said to Rob, I said, I need to borrow your computer here.
I've got a USB drive.
And he said, seems legit.
And he plugged it in.
It was gold plated.
Yes, it was gold plated.
But Wendy, what does gold have to do with fiber optics?
Oh, just wait and see.
But Dave, why is my penis in your ear?
I'm trying to hear you come, obviously.
I just heard something.
It was very small.
I'm a white Jewish boy from Jersey.
It's not going to impress anyone.
It's not the size of the penis.
It's the amount of syphilis you have.
No, it's not the size of the ship.
And it's not the motion of the ocean.
It's whether the ship can stay in port until all passengers have disembarked.
I got three kids.
Call me sniper.
One shot, one kill.
It looks like we're a little over $1,500 right now.
And I want to give a special shout out to Sky Talks just threw $200 in.
And let me just say, I'm a big fan of Sky Talks.
In the security community, we often focus on some blowhards and some FUD.
You know, you'll be startled.
There actually are some assholes in this community.
I heard you mention my name.
Fuck them.
There are some awesome people sitting around you.
Maybe even sitting on this panel.
Yeah, absolutely.
So as you're exhausted and trying to focus on getting through it, remember there's some
awesome people around you.
Have a conversation.
And people just open up.
So anyway, there's a bucket here.
It looks pretty good, but it'll look better with a little bit more in it.
That's what she says.
Speaking of she, hey, Wendy, what's going on?
Hey, hey.
It looks like blah.
We did $1,900 last year.
We did 19, wait, what did we?
$1,900 last year, is that what it was?
Okay, okay, we can do better this time.
Hi, everybody.
I'm Alex Rothman Shostak, Esquire.
This is the proudest move in the history
of the panel.
Hi, mom, how are you doing?
I'm great.
I guess you're a friend of 10,000 people, huh?
2,000, but that's close enough.
Hi, mom.
Can you hear me now?
You wanted something?
What's that?
I was waiting for Squawking to talk.
Anyway, I just wanted to talk to you guys before you left the country.
We hope the rash cleared up.
That would be great.
Okay, thanks, Mom.
Bye.
Bye.
And take out the garbage.
You really have to give it up for him.
Seriously, who else would let their mother hear this play?
Dude, at DEF CON, everyone had your mother.
There's room for more.
All right.
Staying in court.
All right.
All right.
All right, so...
Hey, you with the beer.
Come back here.
Please say thank you.
Hey, Wendy.
Are you going to be talking about blah?
Yeah, I am Alex Rothman Shostak, Esquire, and I'm going to talk about...
Well, let's just say that I listen to presentations for a living.
And, yeah, bring me some more to drink, please.
And so after the first few hundred of those, it all starts to look like...
It's like this, and I wanted to share this with you.
Vendor after vendor after vendor...
Hey, quick pause.
Have you ever seen Deadmau5 in a presentation?
I've heard Deadmau5 and seen some pretty...
All right.
This is still not enough for vendor presentations.
We're going to need Wendy to shotgun a beer.
We will donate money for her to shotgun.
We will donate money for her to shotgun a beer.
And we're giving her fine American beer, otherwise known as crap.
Can't you give a virgin something a little bit better?
No, no, no.
She's a fail panel virgin.
No, no, no.
You're a virgin?
No, the bourbon is bad.
Who's got bourbon?
No, in...
Wait, there's a virgin?
What kind of scotch is that?
Oh, yes.
Single malt.
Single malt.
I'll take it.
I'll take it.
None of this bourbon shit.
Thank you.
Wait a minute.
Wait a minute.
Out of the bottle.
Out of the bottle.
I want this stuff.
Wait.
Wait.
You're a virgin with bourbon?
No.
Drink that one.
I want this one.
You're not a health inspector, are you?
Hey, look, everybody.
There's a redhead with beer.
So at ShmooCon this year, I...
At ShmooCon, I got up on stage,
and somebody handed me a really large plastic cup,
with what I later found out was rum.
And 15 minutes later, at the end of my talk,
I went off the stage completely wasted.
Listen, everybody,
can somebody get a picture of her
with the bourbon right there for her RSA photo?
And please label it Alex Rothman Shostak, Esquire,
because otherwise I have to explain to my boss
why I didn't save some for him.
So, anyway, so this is what it all starts to look like
after a while,
and I wanted to share some of my paintings,
and I wanted to share some of my work with you,
because, of course, every presentation starts with,
there are bad guys out there,
and they're trying to put a big-ass key into your computer.
But just to make sure we're all on the same page,
are there bad guys out there with big keys?
Well, some of them think they're really big,
but they're not that big.
It's all about key length, right?
Right?
Right?
What?
So, yeah, more...
More blah-blah because generations,
because we don't understand these people,
but they wear masks.
I really like V for Vendetta.
Yeah, yeah.
Then, of course, there are scary, scary numbers,
lots of scary numbers, usually percentages
that have nothing to do with anything else,
but, of course, you know, they have to wind up
with some really big, scary numbers.
What's the biggest number you've seen?
Oh, I can't talk about that in public.
Unless it's okay with you.
It's okay with you if I...
He just wants to brag about it, that's all.
And then, of course, everybody's got a solution.
Hey, I didn't know you were using my picture.
Everybody's got a solution.
Have you noticed that every term in security was made up by...
Is that a spider?
...was made up by people who desperately want to be macho,
so they use all sorts of law enforcement
and weapon and violence things.
We have secure ninjas and knights and spears and blood and...
We don't have hairballs. We need security hairballs.
My DHS SOP states that I have to secure this presentation
as TS/SCI because you haven't gone through an SSBI.
Yes, I do. Thank you.
So, actually, I don't know why they keep going with this macho stuff
when this is just as scary.
That's my mom!
Wait a minute. That man just paid $100 for pancakes.
So did you have any good meals in Vegas?
Yeah, yeah, I had a steak.
And what was the most expensive meal you had in Vegas?
Well, I had a pancake.
Hey, you got three for that $100.
It was $33 a pancake.
Thank you.
I believe at this point we are...
Cheers, everyone.
Cheers.
Cheers.
To all of you.
Hey, real quick, while we're doing this,
everybody raise your glasses and say goodbye to our very good friend Barnaby.
To Barnaby.
To Barnaby.
To Barnaby.
I can't help but notice, Wendy, that you still have some of that left.
You did notice that, didn't you?
I did.
He's very observant.
He's stretching it out.
And that's what she said.
So Wendy, as a fail panel virgin, I don't think...
At my first fail panel, what I was prepared for was heckling from the audience.
It was over quick.
But what I wasn't prepared for was heckling, the constant heckling from the co-panelists.
Oh, I know most of you guys.
So anyway, I found that the angry old lady trick works really well.
At least it works really well for me.
So, you know, I think we should have more of this in security.
And then, of course, everybody wants to tell me that they're the best and the unique and
the first one to have done something really, really exciting and it's all because it's
not antivirus and it's not a firewall.
Everybody is like shooting down these things and everybody is saying the S word, signature.
No, we don't use signatures.
We're better than this because we don't use signatures.
We use rules.
Oh, rules.
Yeah.
Well, what do rules have to do with fiber optics?
Yeah, the golden rule.
The golden rule.
There you go.
Is this like the golden shower?
That's later.
That's later.
I need another drink for that.
We need to raise $3,000 for that.
It's like you're hitting on Judge Judy.
That's totally...
So it's not antivirus.
It's not a firewall.
And, of course, nobody is ready to say get rid of your antivirus, get rid of your firewall.
But everybody is saying these days they're great because they're not.
Also, they're the best because they have really big data.
Their data is really big.
It's much bigger than the other vendor's data.
Would you like to see our data?
We'll show you how big it is.
Would you like to measure our big data?
It's really...
And they want to stick their big data in everything.
Is the DI for data injection?
Wendy and I are both analysts.
I've had two big data presentations recently.
One was because it was backed by SQL Server.
And the other is because they deal with very large SharePoint servers.
So you're a double whore?
So nobody else on this crew knows what's coming next.
Because I made this up yesterday in the bathtub.
I can see it right there.
Oh, wait.
Save that.
That's coming up.
Fastest in real time because of...
Wait.
That says realest.
Yes.
We're the realest time.
We're not just fast.
We're not just real time.
We're the realest time.
We're realer time than they are.
Because hardware cloud.
Now, I'm just going to throw out an idea here.
Bingo.
What happens if you get cloud hardware?
Oh, then it gets really hard.
Yeah, it does.
That's what she said.
So all of this makes me do this.
I feel slightly uncomfortable.
I really need a helmet, actually.
That would help me.
That would help me during the presentations that I have to watch and listen to.
If I had a helmet, I would feel a lot better sometimes.
It'd make cleanup easier though, right?
So here's my solution to the problem.
We need more sound effects in security.
Is that how you spell more?
Well, yes.
Yes, it is.
I can't spell.
So I will go with you on that one.
There you go.
Just play some Deadmau5, Wendy.
So as you can see, actually, we're almost there because a lot of vendor names sound
like sound effects now.
I do.
We've got Hadoop.
We've got...
We have Splunk.
Wait.
Splunk's a real thing?
Where's Fred?
Where's Fred?
Hey, Dave.
What's gold got to do with Splunk?
Yes.
What's gold got to do with Splunk?
Well, if you have the gold, you get to Splunk.
Yeah.
That's right.
That's right.
What's that?
Oh.
Last corona, we're going to auction it for I don't know what.
Donation.
Donation.
Donation.
Donation.
We're going to auction it off for a corona.
Underwear?
Oh, god, yes.
Donation for the...
What's that sound?
Oh, god.
That's what...
20 bucks.
Oh, I hear 20, 20.
Do we have more than 20?
40.
Got 40 over there.
40 over there.
Very nice gentleman over there with the great cap.
Anybody over 40?
Over 40?
Sold.
Corona for 40.
Thank you, sir.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.
Thank you.
This is just half a shot glass, Martin.
What are you doing?
All right.
So sound effects.
They're all just Norwegians.
They're all just Norwegians?
Yes.
So yes, sound effects.
We really need some sound effects.
When you're talking about people telling me about malware...
I love the sound effects.
I love it when they pronounce it malware, because then I think of this.
Let's go to the malware.
Yeah, no.
So for malware, you know, anytime
somebody says malware now, I can start
thinking malware, and then I can start thinking like
elevator music. Any kind
of elevator music, or late
80s, you know, songs.
You know, everything that you hear in a
mall, you can start thinking about it
whenever somebody says malware.
But then we've got...
Wait, is there a Victoria's Secret in this malware?
Ooh, there could be.
That was your presentation.
Woo!
Five, four,
three, two,
one.
Oh!
Fail.
That would be a targeting fail,
not a weapons fail.
All right.
We need a flapjack trebuchet.
That's what we need.
Anybody want to...
You want to hear the ultimate fail?
I have an ultimate fail.
Ultimate fail, everybody.
My kids are here, you know,
so they can see what Dad does for...
For a living.
They're too busy
to come to my talk.
Oh!
Oh!
Wait, wait.
Just to be clear, one of them is teaching
scratch at
Roots, so...
Wait.
More than just...
He's working.
Wait.
What are they doing?
Right now, my daughter and her new best friend,
Syfy, are doing a scavenger hunt.
I don't know how that happened.
And my son is teaching.
He's doing his own talk,
so he can't come to mine.
You made it sound like they were like...
That is so awesome.
Okay, I think...
Jamie, I think you misunderstand...
Jamie, I think you misunderstand the word fail, then.
Dude, we're here.
What are we?
Hi.
Chop liver. Hi.
All right.
This is why I have my other mother?
Yeah.
Oh!
Oh!
Oh, love you.
All right, so...
Happy birthday!
Oh!
He caught it!
That man's gonna pass
fire school and I'll have to go to EWO school.
All right, guys, settle down,
because I've got to do some more sound effects here.
So, for analytics,
it's kind of like magic.
So, I think this should be...
Whenever somebody says analytics to you,
you should be thinking this.
Analytics.
It's magic.
To be honest, it looks like you were giving a handjob there.
This is neuro-linguistic programming, isn't it?
Yes, it is.
I'm going to condition a room full of people.
I'm going to condition everybody.
We overflowed the first donation buckets.
We're starting a new one.
Excellent.
Yeah!
Excellent.
So, all right, Jamie, this is for...
The next one is for you.
The next sound effect is for you,
because...
Cyber.
Cyber!
Cyber.
Every time you hear cyber,
I want you to think...
Cyber!
Wendy, Wendy.
I'm not sure if you know this or not,
but that sounds like a masturbation sound.
Maybe for you it does.
It does, actually.
Cyber.
Cyber.
Cyber, cyber, cyber.
Say it with me.
Cyber.
Cyber.
Cyber.
Cyber.
Cyber.
Cyber.
Cyber.
Cyber.
Cyber.
Cyber.
Cyber.
And track one is wondering what the fuck is going on.
But, Wendy, what does cyber have to do with hyper optics?
I have to do with the hyper optics.
All right, so...
Cyber.
Cyber.
So, next one, I want you to be thinking this.
All right.
And then finally, you know, some things are just too big.
Yeah, that's what I said.
And then you woke up.
And then I woke up.
Some things, you know, just require a whole different level of sound effect.
All the things, yeah, yeah.
All right.
So, oh, geez.
All right.
So, for the next one, are you ready?
Oh, my God. Oh, my God. Oh, my God. Oh, my God.
Hairball. Hairball.
Rich.
Wait, wait. That's not all. I want at least 20.
And that's what she said.
Oh, my God.
All right. So.
That pancake should go for at least 20 bucks.
Hey, Rich, I need the finishing touch.
Did you say finish?
Finishing or facial touch?
How come you still have pants on?
But, David, what does gold have to do with it?
Thanks for doing it.
I've got time constraints.
But what does gold have to do with Rich's pants?
All right. All right. So, the very last sound effect, the last sound effect I want to share
with you.
You can get it by the ounce. Oh, I'm sorry. That was...
Hey. Hey. Hey. Cut down.
Whoa.
I'm talking.
It was a late coming...
All right. Last sound effect. It's got to be a big one. Let me see if I can do this
at the same time.
I love sound effects.
Don't do that.
Don't do that.
Oh, my gosh!
So, that's what I want you to think of when somebody says APT. Yes! Oh, my God! Because
that's back to the whole macho sexual thing, too.
It's so fluffy!
It is.
So, remember what did I tell you today?
What did I tell you?
Oh, my goodness!
This comes out.
All right.
So, I'll just leave that right here with you. Remember, cyber!
Nice!
Cyber!
Cyber!
Thank you.
If all is good, enjoy it.
Thank you.
Shit, my hand doesn't work.
That was awesome!
No, it went like this!
Oh, shit! There's more of this than there are of those.
Where the hell did...
Wait, are we throwing pancakes? No, no, no, we're not throwing pancakes.
Those are still too hot, dude. These are really, really hot.
That would have been a fail.
So, this took me about 20 minutes to put together.
I already did it. Hey, hey, we have something
even better, but wait until the end.
Just wait. I say that a lot, and they're always disappointed,
but, yeah.
So basically, this is my top five fails of the last year. And actually, the first one
isn't from the last year, it was actually from 2011. But I haven't had a chance
to share it yet. So 2011, I'm in Beijing, China, and I'm teaching
a cloud security class.
That's not my fucking problem. I'm up here.
Alright, can somebody...
Donating 60 for the dino toy.
The cyber dino toy. Cyber.
Go ahead, cyber your little heart out.
Cyber only cost her $60. Where's our AV people?
Alright, everybody over there, just stand in the hall,
like the aisle right there, and you'll be able to see my slides fine.
That's not working, is it? Don't worry, it's coming.
So if we can have AV support back there, I'll keep going. Do you know what happens when you fail on this panel, Rich?
You fail? Nothing. You get something big.
You get something big behind you from David.
Yeah, we'll do that at the end.
I have my fist. It works. So, I'm in China,
and I'm teaching a cloud security class, and I'm like, alright,
this is going pretty good. When you were in China, did you get approached
by any women to have sex with you? Just your mom.
Yeah.
You're the only cyber security expert
who has gone to China and not been propositioned by the honeypot.
It was a honey net.
That means it was both men and women.
Alright, I don't know what's up with the AV,
because I'm sending out. So,
part of our labs for this is we do a bunch of stuff in Amazon Web Services.
I'm sitting there with the students, and look, this is a little difficult. I said,
no more than 15 students, and they all need to speak English, because I don't speak Chinese.
So, I had 30 students, and most of them didn't speak English.
A little challenging. There were no translators.
So, it was one of those experiences. This was for a large company.
I'm sorry, you coughed. What did you say?
So, blow me.
So, we do all of our labs in Amazon Web Services.
I have everything set up, and all of a sudden,
I'm getting pissed off, and I'm yelling at the network guy, because none of the students
can connect to their virtual servers. The whole thing is falling apart.
We're not able to do any of the labs. And I'm like, what the fuck is going on?
And then I take a step back, and I think for a moment.
So, I had 25 students. We launched 50 instances in Amazon.
We were making 50 SSH connections simultaneously
from one IP address.
And so, I'm thinking, the dude over at Amazon is thinking this.
Maybe this.
More likely this.
And if it's Dave Maynor,
this.
And really, probably this.
So, the end result was, for about a half an hour, we were blocked from Amazon.
Students couldn't do their labs. And eventually, they released it,
and for some reason, they decided we weren't a threat. So, that was number five.
And I gotta go fast, because Dave's got cool stuff, so I have to give him a little bit of time.
Number four. This occurred four days ago.
So, I'm teaching a cloud security class at Black Hat.
Now, you kind of think somebody knows where the Black Hat website is.
They probably can type in the URL.
They've heard of Black Hat.
It says four.
Five, four, three, top five.
So Dave can read, by the way.
Yeah.
It's a new thing, and he's totally excited.
So don't burst his bubble.
And four comes out for three.
It's also a great reading level.
Yeah.
Yes, it is.
So, I've got a bunch of students in my class.
And I almost feel bad about this one,
because the person involved is actually really, really nice.
And I feel even worse if she was in this room, but she's not.
So this person, early on, we identified that she teaches security at a college.
So I don't think a university, community college or something.
You're not telling that story, man.
Jamie was there.
He helped me co-teach the class.
And so she teaches at a college.
And super nice person.
And she said, look.
She sat me down, and it was very quiet.
It was like right as we went to a break.
She's like, okay.
So I hate to admit this.
I do mostly like the policy and management stuff.
But I don't know what you mean by key.
And I thought for a second.
And I thought.
And I thought.
And I thought.
And I'm like, you mean an SSH key?
And she goes, yeah.
And I'm like, so.
We had somebody teaching security classes at the college level
who doesn't know what an SSH key is.
So that was my favorite fail number four.
And you would laugh if you weren't so fucking disturbed.
At the concept.
Standing there going,
I have no response to that question.
I admit.
This is better than the very first one of these classes we taught.
Where I was trying to help somebody find her SSH key for putty.
And she couldn't find it.
I said, oh.
Well, we just need to go ahead.
Pull up file explorer.
And she goes, I don't know what that is.
Okay.
So here's file explorer.
I click, click, click.
And I go, okay.
I need you to search on star.pem.
Do you know what she typed in next?
S-T-A-R.
Guess who she worked for?
That would be the federal government.
Using her federal government laptop.
Yeah.
So, number three.
This also occurred at our class.
And Jamie is going to fucking love this one.
Oh, okay.
Look at the preview of the what's next.
So.
It's so good.
We can't show you until you donate more money.
Donate more money for the next slide.
That's not working.
So.
We're teaching this class.
And we have one guy.
And you know you always have.
Has anybody taught before?
Yeah, there's always the dude.
And it's always a guy.
Mostly.
And they always know a lot.
And they really want to impress you with their background.
So this individual.
Did I tell you by that time I broke into an apple?
Yeah.
You did three years ago here.
And now there's a full black hat talk over an exploit
that he did on the failed panel that nobody noticed.
It was a zero day at the time.
So this guy.
Hey Rich.
The technical term for that person is ask hole.
I spent eight years as an undergrad.
So apparently I don't know all the technical terms.
In Cherokee,
asshole means enlightened one.
Justice, my asshole enlightened your penis?
It's a failed panel.
It ain't gonna get better.
So.
This individual mentioned
how he just finished his.
Wait, where's the squeaky thing?
I need the squeaky thing.
Stat, stat, stat.
His cyber security graduate degree.
He informed us that before the very first talk.
And then he said.
In very ominous tones.
Have you ever heard of heap spray?
Well yes.
I've heard that term before.
He goes.
You know.
We were the guys that heap sprayed the college from Amazon.
And.
I thought about that for a moment.
And I thought about it for another moment.
And the first.
First words that were going through my head.
And I really didn't have the heart.
My name is Inigo Montoya.
You killed my father.
Prepare to heap spray the college from Amazon.
I just.
I honestly.
It is very rare I don't know how to respond.
To something along those lines.
I decided to look for heap spray defenses online.
And.
That was pretty much all I was able to come up with.
Later he got frustrated.
Because he couldn't realize.
That when you enter something into the user interface.
And if it has a space in there.
And then you get an error.
And it says no space is allowed.
That you just take the space out.
So that was.
It was a really good class.
But Rich.
What do spaces have to do with fiber optics?
So.
Number two.
Like Wendy.
I work as an analyst.
I'm willing to admit the name of my company.
Securosis.
Because I actually own the company.
And.
You know.
All these presentations.
What did you say?
Yeah.
Hey look.
So.
So.
Fortunately.
I hit people I know.
So.
We all know APT.
Is a big deal.
Rich I know.
I'm no expert here.
That looks racist.
Yeah.
That's what.
That's because Bing is racist.
Do you see how high.
Is spelled H-I-G-H.
Yeah.
So.
Martin.
I can't believe it's not water.
Pour some on me baby.
Premature there, eh.
Too soon.
It won't come out.
Finally.
And.
And it goes everywhere.
Holy.
Yeah.
So.
I was talking to a web application.
Firewall vendor.
And they were talking about.
How they were going to prevent the APT.
The marketing guy at a reception.
We were at at RSA.
And I said.
Well you know you don't.
That's not how these guys do those things.
He goes I know.
But we did a survey.
And APT.
Yeah.
Is this our last one?
It's our last one.
Frisbee.
No less than $20.
Oh.
No, no, no, no, no, no.
Frisbee.
No, no, no, no, no, no.
These are free.
These are $20.
Hey guys.
Maynor's got good stuff.
So I got to get through this kind of quick.
This was by far.
My favorite.
This was the email of the year.
I got it about a week ago.
And I'm going to let you read this for a moment.
I am contacting you on behalf of ISACA.
Who would like to speak to you about.
How IT can form cyber security.
With COBIT 5.
And.
I got one of these too.
This is critical for IT teams.
In the wake of escalating advanced persistent threats.
So apparently.
There is a control framework.
Known as COBIT.
Which is exactly what this is.
To stop APT attacks.
Oh my God.
Whoa.
Now.
My absolute favorite fail.
Occurred literally 30 minutes before this talk.
Oh no.
So.
I walk out to get coffee.
I go into the normal area.
Of the hotel.
And I'm coming back.
With my cup of coffee.
That's the area that's normal.
Not the area with the normal people.
Correct.
No.
It was with normal people.
Not us.
The mundane area.
Otherwise we refer to them as targets.
And.
And we're sitting there.
And somebody comes up to me.
And he's super nice.
Hey.
Excuse me, sir.
And I go.
Yeah.
I got all the goon stuff on.
And admittedly the badge doesn't mean anything.
But the dumb ass tactical vest.
Like whatever.
Does.
And he goes.
What's going on over in the convention center?
I'm like.
Oh.
It's DEF CON.
It's the world's biggest hacker conference.
And his face goes like this.
And I'm like.
And I'm not used to that reaction.
Most times people are.
Oh.
Well that's cool.
Or that's interesting.
Or blah, blah, blah.
They ask questions.
And I'm like.
Is something okay?
And he goes.
Wonderful.
And I'm like.
Why?
And he goes.
I work for the NSA.
No bullshit.
30 minutes before this talk.
All right.
So.
You've all come to the fail panel.
You've all had a great time.
Right?
I need this.
Because it's sunny here.
Wait.
Go away.
I almost forgot something.
Jack Daniel and I were talking.
Whoever gives us $100.
Gets to roll around in the money right now.
Come on.
Hands up.
Who's going to do it?
Who's going to do it?
Come on.
Any takers?
All right.
I need to go to the ATM.
But I'm doing it myself.
Hold on.
Tell me which ATM you're going to.
Just in case it's mine.
So.
I have here a collection of spoons.
Apparently to make pancakes.
Fail panel.
You need a lot of spoons.
I have had them signed.
This is the fail panel.
You can.
There is no spoon.
There's only Zuul.
That's right.
There are three of them.
Three of them.
There's only Zuul.
Exactly.
You cannot unsee this shit.
Barnaby would be so proud.
Holy.
You know.
My partner over there.
He's.
He's rolling around in the dough.
Wow.
That escalated quickly.
That's a lot of money there.
So.
I got these three spoons.
And I got.
I don't know how many of us are there.
A lot.
All of us.
All of us.
You can buy a spoon.
You can buy a spoon that comes with certain associated.
Thank you.
With.
Not just the authentication token.
But also the authorization.
The larger the dollar value.
The more authorization.
Is placed upon the spoon.
Such as the ability to have.
I don't know.
Chris Hoff lick the spoon for you.
Yeah.
Or the ability to.
Spank people with spoons.
You figure out what your off is.
Huh?
Does it have an SSH key?
So.
Spoons for the taking.
Come up with some money.
And figure it out.
Because apparently we have to let Dave Maynor talk.
Again.
So before Dave starts.
I just want to thank you everyone for coming.
And more importantly.
I want to thank the number of people.
Such as Liz and Martin and Jason.
Who helped make this possible.
Because we couldn't get those pancakes out to you without them.
Let's give a round of applause for the helpers.
And also for everyone who donated beer.
Please clean up after yourselves.
So Jack just pointed out to me.
Jack just pointed out to me.
That when Rich was rolling around on the money.
He was just reliving his days at Gartner.
Gartner jokes are always funny.
Hello everybody.
My name is David Maynor.
Most of you know me as.
Shit head.
That's great.
I'd like to start off by asking everybody.
What do I have to do with fiber optics?
The answer is.
The answer is absolutely nothing.
So how many people were here last year?
I can't believe you came back.
You foolish people.
So last year I did this thing.
With Bob and Hanson.
So I have become known to some people as a fail whisperer.
Because I am very good at inducing fail in things.
In fact, here's a picture of me.
That is fail.
Look at that.
I have two chins.
Fail.
I'm also wearing a tie.
Fail.
So I work with fail like most artists work in fine oils.
I get to pen testing.
So I fail a lot.
One example is that many years ago
Jacob Applebaum who is a complete media whore
wanted to distribute
He has apparently stopped being a media whore
and now has become a media darling.
But at the time he wanted to distribute something to CCC
and he wanted to prove how awesome he was
by posting a version of it ahead of time
of redacted information.
So I thought this was stupid.
So I wrote a blog post about it
and here's his document that was redacted.
So the funny thing about this
is that while you can redact large portions of the document
you can't redact the font size.
So if you went through and measured
you could figure out how many letters were in each word
of small redacted blocks.
It was pretty easy to find out.
So we were actually able to
before his big CCC presentation
decipher his message.
And what did the message say?
I found a new way to apply hair product
and it makes it look like I just rolled out of bed.
No seriously.
He was actually talking about something
with MD5 and collision.
It wasn't actually funny.
The funny thing was that he posted something
he thought was secure
and everybody was able to read it ahead of time.
So the reason I'm going through this
is I'm giving you my credentials
for why I'm good at causing fails.
But this year
I have no fail to offer.
I only have success
and unfortunately my success is horrible.
So that was some fail.
So one quick story
of a recent pen test
we had gone right.
I can't really tell you
the client
but it's a really funny thing.
When we came in
they were gung ho.
They were ready
for us.
They let us know
right ahead of time
how we just weren't doing anything.
We weren't getting in.
We weren't breaking anything.
So the window comes around
five to seven minutes into the window
we had broken into everything
we had domain admin remotely.
So I didn't know what else to do.
Normally at this point
you start writing a report
but if you know me
I don't like to write
so I'm calling the registrar.
And I can't mention the registrar's name.
But we called the registrar
and I in my greatest southern hick voice
went oh my god
my boss is in Turks and Caicos
and our site just crashed.
I have to change our DNS over
but I do not have the password.
Can you help me out?
And the person who sounded like
they were in Kansas or Washington
or somewhere went well gosh
you need the password to do that.
But I don't have the password.
I was trying to channel
a Baptist minister
at the pulpit.
Because nobody wants to disagree
with the man of God.
Is there anything you can do
that you work for this company?
What do you want son?
What can I do for you?
This is a little bit of an exaggeration
but it's not much.
Can you send me an email
from your work account?
Can you put a page on the website
to prove that you have control over it?
I was like yes son I can.
Let me go right ahead.
And since I had domain admin
it was pretty easy.
You just right click in the IIS
directory.
I feel
I feel a disturbance
in the force.
It's a small disturbance.
It's more of a ripple actually.
So I right click in the IIS directory
I create a file called
oh wait I can't say his name.
I right click
on a directory
create a file
and I say redacted.
Does this prove that
I work for the company?
I give him the URL.
He goes to it and looks at it and says
yeah sure.
And then gives me the password.
To which I spent
the rest of the night figuring out
how to do split routing with their email
so I could get a copy of all their email
coming in via DNS.
So I call them
the next morning at 8am and I ask
the system admin why he hasn't gotten any
email since midnight.
It ain't over man.
It ain't over.
They were
they were shocked.
They were appalled.
Some would say they were shocked and appalled.
Were they odd?
No they were pretty normal.
They were shocking and odd?
Which brings me
quickly to why
I have no
this is all funny but I have
wait what?
Time.
I have no actual fail this year to talk about.
Last year I did a trick
and it was a very funny magic trick.
Yeah no I did two tricks.
Well one guy was named Rich
he didn't pay well but then again
I didn't have to do much.
It was over quick.
So I did this trick with an iPod
where I could be within 100 meters
of every jukebox
that you could cue music on
and I could make all of these jukeboxes
play MMMBop.
And I thought that was hilarious
for months after that.
Anytime somebody would check in on Foursquare
I would find if they had a jukebox
I would play MMMBop.
I thought that was hilarious.
So Chris Hoff tweeted
where he was going to a bar
and minutes later Dave
hacked his location on his computer
and then played MMMBop
on the local jukebox.
So that was funny.
If you go back and look at the
video and audio from last year
the last thing I say before I walk off stage
is
record executives
use jukebox plays
to determine how popular a group is.
It's my calling in life
to get Hanson
to release a new album.
See I thought I was joking.
I didn't believe
in the power of the film.
I just wanted to put this picture up again.
I laughed when I figured all this out.
She had a gun.
I was like you know what
it deserves to be a presentation two years in a row.
But I didn't believe in the power
of the fail panel.
So I want to let you all know
I am witnessing to you.
The fail panel power is real.
It is real.
It is so real.
Hanson released a new album.
Look at the paint.
Believe in the fail panel.
Worship
the fail panel.
We
change the world here
every summer.
I want you to know we don't do it
because we're egotistical sons of bitches like Robert Graham.
We do it
because we
are trying to help everyone
have a better life.
And I believe Hanson
will have nothing to do with that.
Thank you.
But Dave, what does Hanson
have to do with fiber optics?
That's how rock stars do it.
It burns.
Oh, it's just him.
Do not once.
You know what?
I have never, never seen a crowd
throw Bono's shirt back.
I'm going to tell you right there,
we have some very polite fans.
Enjoy the rest of the show.
